@aldegad/safedeps 2.1.1 → 2.2.0

package/lib/gates/audit.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+
+# safedeps audit npm — generic npm lockfile audit.
+# Absorbed from kuma-studio scripts/security/run-npm-audit.sh.
+# Missing lockfile stays fail-closed (no reproducible verdict without it).
+
+REPO_ROOT=""
+AUDIT_LEVEL="${SAFEDEPS_NPM_AUDIT_LEVEL:-${KUMA_NPM_AUDIT_LEVEL:-moderate}}"
+
+usage() {
+  printf 'Usage: safedeps audit [npm] [--root <repo>] [--level <low|moderate|high|critical>]\n' >&2
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    npm) shift ;; # allow `audit npm`
+    --root) REPO_ROOT="${2:?--root needs a path}"; shift 2 ;;
+    --level) AUDIT_LEVEL="${2:?--level needs a value}"; shift 2 ;;
+    -h|--help) usage; exit 0 ;;
+    *) usage; exit 64 ;;
+  esac
+done
+
+if [ -z "$REPO_ROOT" ]; then REPO_ROOT="$(pwd)"; fi
+REPO_ROOT="$(cd "$REPO_ROOT" && pwd)"
+cd "$REPO_ROOT"
+
+if [ ! -f package-lock.json ]; then
+  cat >&2 <<'EOF'
+ERROR: package-lock.json is missing, so npm audit cannot produce a reproducible dependency verdict.
+EOF
+  exit 1
+fi
+
+exec npm audit --audit-level="$AUDIT_LEVEL"

package/lib/gates/hooks.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+set -euo pipefail
+
+# safedeps hooks install|check — generic repo-local git hook activation.
+# Absorbed from kuma-studio scripts/security/{install,check}-hooks.sh.
+# The repo's privacy/secret policy lives in its own .githooks/pre-commit;
+# this command only manages hook activation, not the policy content.
+
+GATES_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=./repo-profile.sh
+source "$GATES_LIB_DIR/repo-profile.sh"
+
+SUB=""
+REPO_ROOT=""
+HOOKS_PATH=".githooks"
+AUTO=0
+
+usage() {
+  printf 'Usage: safedeps hooks <install|check> [--root <repo>] [--hooks-path <dir>] [--auto]\n' >&2
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    install|check) SUB="$1"; shift ;;
+    --root) REPO_ROOT="${2:?--root needs a path}"; shift 2 ;;
+    --hooks-path) HOOKS_PATH="${2:?--hooks-path needs a dir}"; shift 2 ;;
+    --auto) AUTO=1; shift ;;
+    -h|--help) usage; exit 0 ;;
+    *) usage; exit 64 ;;
+  esac
+done
+
+if [ -z "$SUB" ]; then usage; exit 64; fi
+if [ -z "$REPO_ROOT" ]; then REPO_ROOT="$(pwd)"; fi
+REPO_ROOT="$(cd "$REPO_ROOT" && pwd)"
+
+if ! git -C "$REPO_ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  if [ "$SUB" = "install" ] && [ "$AUTO" -eq 1 ]; then
+    printf 'safedeps hooks: skipped install (not a git worktree)\n'
+    exit 0
+  fi
+  printf 'ERROR: not inside a git worktree: %s\n' "$REPO_ROOT" >&2
+  exit 1
+fi
+
+HOOK_FILE="$REPO_ROOT/$HOOKS_PATH/pre-commit"
+
+case "$SUB" in
+  install)
+    if [ ! -f "$HOOK_FILE" ]; then
+      printf 'ERROR: hook file not found: %s\n' "$HOOK_FILE" >&2
+      printf '       the repo must provide its own %s/pre-commit policy.\n' "$HOOKS_PATH" >&2
+      exit 1
+    fi
+    chmod +x "$HOOK_FILE"
+    git -C "$REPO_ROOT" config core.hooksPath "$HOOKS_PATH"
+    printf 'safedeps hooks: installed repo-local git hooks at %s/%s\n' "$REPO_ROOT" "$HOOKS_PATH"
+    printf 'safedeps hooks: core.hooksPath = %s\n' "$(git -C "$REPO_ROOT" config --get core.hooksPath)"
+    ;;
+  check)
+    local_expected="$HOOKS_PATH"
+    actual="$(git -C "$REPO_ROOT" config --get core.hooksPath || true)"
+    if [ "$actual" != "$local_expected" ]; then
+      cat >&2 <<EOF
+ERROR: repo-local git hooks are not active.
+
+Expected core.hooksPath: $local_expected
+Actual core.hooksPath:   ${actual:-<unset>}
+
+Run:
+  safedeps hooks install --root "$REPO_ROOT"
+EOF
+      exit 1
+    fi
+    if [ ! -x "$HOOK_FILE" ]; then
+      printf 'ERROR: %s is not executable.\n' "$HOOK_FILE" >&2
+      exit 1
+    fi
+    if ! command -v gitleaks >/dev/null 2>&1; then
+      if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+        cat >&2 <<'EOF'
+ERROR: neither local gitleaks nor a running Docker daemon is available.
+
+Choose one:
+  brew install gitleaks
+  open -a Docker
+EOF
+        exit 1
+      fi
+    fi
+    printf 'safedeps hooks: active (core.hooksPath = %s)\n' "$local_expected"
+    ;;
+esac

package/lib/gates/repo-profile.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Generic repo security profile + gitleaks config resolution.
+# Absorbed from kuma-studio scripts/security/repo-profile.sh and made generic:
+# the private profile is detected by a "-private" suffix convention instead of a
+# hard-coded repo name, and overrides accept both SAFEDEPS_* and legacy KUMA_* env.
+
+safedeps_repo_profile() {
+  local repo_root="${1:?repo root required}"
+  local override="${SAFEDEPS_REPO_PROFILE:-${KUMA_SECURITY_REPO_PROFILE:-}}"
+
+  case "$override" in
+    public|private)
+      printf '%s\n' "$override"
+      return 0
+      ;;
+    "")
+      ;;
+    *)
+      printf 'ERROR: repo profile override must be "public" or "private", got: %s\n' "$override" >&2
+      return 64
+      ;;
+  esac
+
+  local origin_url repo_leaf
+  origin_url="$(git -C "$repo_root" remote get-url origin 2>/dev/null || true)"
+  repo_leaf="$(basename "$repo_root")"
+
+  # Convention: a repo whose origin slug or directory leaf ends in "-private" is
+  # the private profile (e.g. kuma-studio-private). Everything else is public.
+  if [[ "$origin_url" =~ (^|[/:-])[A-Za-z0-9._-]*-private(\.git)?$ ]] || [[ "$repo_leaf" == *-private ]]; then
+    printf 'private\n'
+    return 0
+  fi
+
+  printf 'public\n'
+}
+
+safedeps_gitleaks_config() {
+  local repo_root="${1:?repo root required}"
+  local profile="${2:?profile required}"
+  local override="${SAFEDEPS_GITLEAKS_CONFIG:-${KUMA_GITLEAKS_CONFIG:-}}"
+
+  if [ -n "$override" ]; then
+    printf '%s\n' "$override"
+    return 0
+  fi
+
+  case "$profile" in
+    private)
+      printf '%s/.gitleaks.private.toml\n' "$repo_root"
+      ;;
+    public)
+      printf '%s/.gitleaks.toml\n' "$repo_root"
+      ;;
+    *)
+      printf 'ERROR: unknown security profile: %s\n' "$profile" >&2
+      return 64
+      ;;
+  esac
+}

package/lib/gates/scan.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+set -euo pipefail
+
+# safedeps scan secrets — generic gitleaks runner.
+# Absorbed from kuma-studio scripts/security/run-gitleaks.sh and made generic:
+# repo root comes from --root (default: cwd), config from repo profile or override.
+# Preference order: local gitleaks binary -> Docker image (explicit, printed).
+
+GATES_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=./repo-profile.sh
+source "$GATES_LIB_DIR/repo-profile.sh"
+
+REPO_ROOT=""
+MODE="repo"
+CONFIG_OVERRIDE=""
+IMAGE="${SAFEDEPS_GITLEAKS_IMAGE:-${KUMA_GITLEAKS_IMAGE:-ghcr.io/gitleaks/gitleaks:latest}}"
+
+usage() {
+  printf 'Usage: safedeps scan secrets [--repo|--worktree|--staged] [--root <repo>] [--config <path>]\n' >&2
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --repo) MODE="repo"; shift ;;
+    --worktree) MODE="worktree"; shift ;;
+    --staged) MODE="staged"; shift ;;
+    --root) REPO_ROOT="${2:?--root needs a path}"; shift 2 ;;
+    --config) CONFIG_OVERRIDE="${2:?--config needs a path}"; shift 2 ;;
+    secrets) shift ;; # allow `scan secrets ...`
+    -h|--help) usage; exit 0 ;;
+    *) usage; exit 64 ;;
+  esac
+done
+
+if [ -z "$REPO_ROOT" ]; then REPO_ROOT="$(pwd)"; fi
+REPO_ROOT="$(cd "$REPO_ROOT" && pwd)"
+
+REPO_PROFILE="$(safedeps_repo_profile "$REPO_ROOT")"
+if [ -n "$CONFIG_OVERRIDE" ]; then
+  CONFIG_PATH="$CONFIG_OVERRIDE"
+else
+  CONFIG_PATH="$(safedeps_gitleaks_config "$REPO_ROOT" "$REPO_PROFILE")"
+fi
+CONFIG_BASENAME="$(basename "$CONFIG_PATH")"
+
+cd "$REPO_ROOT"
+
+if [ ! -f "$CONFIG_PATH" ]; then
+  printf 'ERROR: gitleaks config does not exist: %s\n' "$CONFIG_PATH" >&2
+  exit 1
+fi
+
+printf 'safedeps secret scan: profile=%s config=%s mode=%s\n' "$REPO_PROFILE" "$CONFIG_BASENAME" "$MODE" >&2
+
+SCAN_ROOT="$REPO_ROOT"
+
+LOCAL_ARGS=(git --no-banner --redact --verbose --config "$CONFIG_PATH")
+DOCKER_ARGS=(git --no-banner --redact --verbose --config "/repo/$CONFIG_BASENAME")
+
+if [ "$MODE" = "staged" ]; then
+  LOCAL_ARGS+=(--pre-commit --staged)
+  DOCKER_ARGS+=(--pre-commit --staged)
+elif [ "$MODE" = "worktree" ]; then
+  LOCAL_ARGS=(dir --no-banner --redact --verbose --config "$CONFIG_PATH")
+  DOCKER_ARGS=(dir --no-banner --redact --verbose --config "/repo/$CONFIG_BASENAME")
+fi
+
+LOCAL_ARGS+=("$SCAN_ROOT")
+if [ "$MODE" = "worktree" ]; then
+  DOCKER_ARGS+=("/repo")
+else
+  DOCKER_ARGS+=(/repo)
+fi
+
+if command -v gitleaks >/dev/null 2>&1; then
+  gitleaks "${LOCAL_ARGS[@]}"
+  exit $?
+fi
+
+if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
+  docker run --rm -v "$REPO_ROOT:/repo" -w /repo "$IMAGE" "${DOCKER_ARGS[@]}"
+  exit $?
+fi
+
+cat >&2 <<EOF
+ERROR: gitleaks is not available.
+
+Choose one:
+1. Install locally: brew install gitleaks
+2. Or start Docker so the scan can use: $IMAGE
+
+The scan is blocked (fail-closed) until a scanner is available.
+EOF
+exit 1

package/lib/ledger/ledger.sh

@@ -183,16 +183,23 @@ safedeps_ledger_check() {
 
 safedeps_ledger_atomic_write() {
   local target_path="$1"
-  local temp_path="${target_path}.$$"
+  local target_dir
+  local target_base
+  local temp_path
 
   safedeps_ledger_init
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  temp_path=$(mktemp "${target_dir}/.${target_base}.XXXXXX") || return 1
+
   cat > "${temp_path}"
   chmod 600 "${temp_path}" 2>/dev/null || true
   safedeps_ledger_validate_json "${temp_path}" || {
     rm -f "${temp_path}"
     return 1
   }
-  mv "${temp_path}" "${target_path}"
+  mv -f "${temp_path}" "${target_path}"
 }
 
 safedeps_ledger_write_approved_spec() {
@@ -203,11 +210,13 @@ safedeps_ledger_write_approved_spec() {
   local approved_by="${5:-local}"
   local evidence_file="${6:-}"
   local ttl_days="${7:-${SAFEDEPS_LEDGER_DEFAULT_TTL_DAYS}}"
+  local transitive_specs_file="${8:-}"
   local approved_at
   local expires_at
   local hash
   local target_path
   local evidence_arg=()
+  local transitive_arg=()
 
   safedeps_ledger_require_jq || return 1
   safedeps_ledger_init
@@ -227,6 +236,20 @@ safedeps_ledger_write_approved_spec() {
     evidence_arg=(--argjson evidence '{}')
   fi
 
+  if [[ -n "${transitive_specs_file}" ]]; then
+    [[ -f "${transitive_specs_file}" ]] || {
+      printf 'safedeps ledger: transitive specs file not found: %s\n' "${transitive_specs_file}" >&2
+      return 1
+    }
+    jq -e 'type == "array"' "${transitive_specs_file}" >/dev/null || {
+      printf 'safedeps ledger: transitive specs file must be a JSON array: %s\n' "${transitive_specs_file}" >&2
+      return 1
+    }
+    transitive_arg=(--slurpfile transitive_specs "${transitive_specs_file}")
+  else
+    transitive_arg=(--argjson transitive_specs '[]')
+  fi
+
   if [[ -n "${evidence_file}" ]]; then
     jq -cn \
       --arg hash "${hash}" \
@@ -238,6 +261,7 @@ safedeps_ledger_write_approved_spec() {
       --arg expires_at "${expires_at}" \
       --arg approved_by "${approved_by}" \
       "${evidence_arg[@]}" \
+      "${transitive_arg[@]}" \
       '{
         hash: $hash,
         ecosystem: $ecosystem,
@@ -248,7 +272,11 @@ safedeps_ledger_write_approved_spec() {
         expires_at: $expires_at,
         approved_by: $approved_by,
         evidence: ($evidence[0] // {}),
-        transitive_specs: []
+        transitive_specs: (($transitive_specs[0] // $transitive_specs) | map({
+          ecosystem: (.ecosystem // $ecosystem),
+          package: .package,
+          version: (.version | tostring)
+        }) | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version))
       }' | safedeps_ledger_atomic_write "${target_path}"
   else
     jq -cn \
@@ -261,6 +289,7 @@ safedeps_ledger_write_approved_spec() {
       --arg expires_at "${expires_at}" \
       --arg approved_by "${approved_by}" \
       "${evidence_arg[@]}" \
+      "${transitive_arg[@]}" \
       '{
         hash: $hash,
         ecosystem: $ecosystem,
@@ -271,39 +300,84 @@ safedeps_ledger_write_approved_spec() {
         expires_at: $expires_at,
         approved_by: $approved_by,
         evidence: $evidence,
-        transitive_specs: []
+        transitive_specs: (($transitive_specs[0] // $transitive_specs) | map({
+          ecosystem: (.ecosystem // $ecosystem),
+          package: .package,
+          version: (.version | tostring)
+        }) | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version))
       }' | safedeps_ledger_atomic_write "${target_path}"
   fi
 
   cat "${target_path}"
 }
 
+safedeps_ledger_effect_check() {
+  local ecosystem="$1"
+  local package_name="$2"
+  local version="$3"
+  local ledger_file
+  local now_iso
+
+  safedeps_ledger_require_jq || return 1
+  safedeps_ledger_init
+  now_iso=$(safedeps_ledger_now_iso)
+
+  while IFS= read -r -d '' ledger_file; do
+    safedeps_ledger_validate_json "${ledger_file}" || continue
+    safedeps_ledger_is_expired_file "${ledger_file}" && continue
+    if jq -e \
+      --arg ecosystem "${ecosystem}" \
+      --arg package "${package_name}" \
+      --arg version "${version}" \
+      '
+      (.revoked_at // "") == ""
+      and (
+        (.ecosystem == $ecosystem and .package == $package and .version == $version)
+        or (((.transitive_specs // []) | map(select(
+          (.ecosystem // $ecosystem) == $ecosystem
+          and .package == $package
+          and (.version | tostring) == $version
+        )) | length) > 0)
+      )
+    ' \
+      "${ledger_file}" >/dev/null; then
+      jq -cn \
+        --arg owner_hash "$(jq -r '.hash' "${ledger_file}")" \
+        --arg owner_package "$(jq -r '.package' "${ledger_file}")" \
+        --arg owner_version "$(jq -r '.version' "${ledger_file}")" \
+        --arg checked_at "${now_iso}" \
+        '{approved:true, reason:"hit", owner_hash:$owner_hash, owner_package:$owner_package, owner_version:$owner_version, checked_at:$checked_at}'
+      return 0
+    fi
+  done < <(find "${SAFEDEPS_LEDGER_DIR}" -maxdepth 1 -name '*.json' -type f -print0 2>/dev/null)
+
+  jq -cn \
+    --arg ecosystem "${ecosystem}" \
+    --arg package "${package_name}" \
+    --arg version "${version}" \
+    --arg checked_at "${now_iso}" \
+    '{approved:false, reason:"miss", ecosystem:$ecosystem, package:$package, version:$version, checked_at:$checked_at}'
+  return 1
+}
+
 safedeps_ledger_revoke() {
   local ecosystem="$1"
   local package_name="$2"
   local version="$3"
   local reason="${4:-revoked}"
   local ledger_file
-  local temp_path
   local revoked_at
 
   ledger_file=$(safedeps_ledger_path "${ecosystem}" "${package_name}" "${version}")
   [[ -f "${ledger_file}" ]] || return 1
   safedeps_ledger_validate_json "${ledger_file}" || return 1
 
-  temp_path="${ledger_file}.$$"
   revoked_at=$(safedeps_ledger_now_iso)
   jq \
     --arg revoked_at "${revoked_at}" \
     --arg reason "${reason}" \
     '. + {revoked_at: $revoked_at, revoked_reason: $reason, expires_at: $revoked_at}' \
-    "${ledger_file}" > "${temp_path}"
-  chmod 600 "${temp_path}" 2>/dev/null || true
-  safedeps_ledger_validate_json "${temp_path}" || {
-    rm -f "${temp_path}"
-    return 1
-  }
-  mv "${temp_path}" "${ledger_file}"
+    "${ledger_file}" | safedeps_ledger_atomic_write "${ledger_file}"
   cat "${ledger_file}"
 }
 
@@ -325,12 +399,16 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       safedeps_ledger_check "$@"
       ;;
     approve)
-      if [[ "$#" -lt 3 || "$#" -gt 7 ]]; then
-        printf 'usage: %s approve <ecosystem> <package> <version> [version_range] [approved_by] [evidence_file] [ttl_days]\n' "$0" >&2
+      if [[ "$#" -lt 3 || "$#" -gt 8 ]]; then
+        printf 'usage: %s approve <ecosystem> <package> <version> [version_range] [approved_by] [evidence_file] [ttl_days] [transitive_specs_file]\n' "$0" >&2
         exit 2
       fi
       safedeps_ledger_write_approved_spec "$@"
       ;;
+    effect-check)
+      [[ "$#" -eq 3 ]] || { printf 'usage: %s effect-check <ecosystem> <package> <version>\n' "$0" >&2; exit 2; }
+      safedeps_ledger_effect_check "$@"
+      ;;
     revoke)
       if [[ "$#" -lt 3 || "$#" -gt 4 ]]; then
         printf 'usage: %s revoke <ecosystem> <package> <version> [reason]\n' "$0" >&2
@@ -339,7 +417,7 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       safedeps_ledger_revoke "$@"
       ;;
     *)
-      printf 'usage: %s {hash|path|check|approve|revoke} ...\n' "$0" >&2
+      printf 'usage: %s {hash|path|check|effect-check|approve|revoke} ...\n' "$0" >&2
       exit 2
       ;;
   esac

package/lib/npm/closure.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# npm dependency closure helpers for safedeps.
+
+set -euo pipefail
+
+safedeps_npm_require_jq() {
+  if ! command -v jq >/dev/null 2>&1; then
+    printf 'safedeps npm closure: jq is required\n' >&2
+    return 1
+  fi
+}
+
+safedeps_npm_lock_closure() {
+  local lockfile="$1"
+  local direct_package="${2:-}"
+
+  safedeps_npm_require_jq || return 1
+  [[ -f "${lockfile}" ]] || {
+    printf 'safedeps npm closure: lockfile not found: %s\n' "${lockfile}" >&2
+    return 1
+  }
+
+  jq -c --arg direct_package "${direct_package}" '
+    def package_name_from_path($path):
+      ($path | split("node_modules/") | last) as $tail
+      | if ($tail | startswith("@")) then
+          ($tail | split("/") | .[0:2] | join("/"))
+        else
+          ($tail | split("/") | .[0])
+        end;
+
+    if ((.packages // null) | type) == "object" then
+      [
+        .packages
+        | to_entries[]
+        | select(.key != "")
+        | select((.value.version // "") != "")
+        | {
+            ecosystem: "npm",
+            package: (.value.name // package_name_from_path(.key)),
+            version: (.value.version | tostring)
+          }
+        | select(.package != "" and .version != "")
+        | . + {direct: (.package == $direct_package)}
+      ]
+      | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version)
+      | sort_by(.package, .version)
+    else
+      []
+    end
+  ' "${lockfile}"
+}
+
+safedeps_npm_fixture_closure() {
+  local package_name="$1"
+  local version="$2"
+  local fixture_file="${SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON:-}"
+  local key="${package_name}@${version}"
+
+  [[ -n "${fixture_file}" && -f "${fixture_file}" ]] || return 1
+  jq -e -c --arg key "${key}" --arg package "${package_name}" '
+    if type == "object" and (.[$key] | type) == "array" then
+      .[$key]
+    elif type == "array" then
+      .
+    else
+      empty
+    end
+    | map(. + {ecosystem: (.ecosystem // "npm"), direct: ((.direct // false) or (.package == $package))})
+    | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + (.version | tostring))
+    | sort_by(.package, .version)
+  ' "${fixture_file}"
+}
+
+safedeps_npm_resolve_spec_closure() {
+  local package_name="$1"
+  local version="$2"
+  local tmp_dir
+  local lockfile
+
+  safedeps_npm_require_jq || return 1
+
+  if safedeps_npm_fixture_closure "${package_name}" "${version}"; then
+    return 0
+  fi
+
+  if ! command -v npm >/dev/null 2>&1; then
+    printf 'safedeps npm closure: npm CLI is required\n' >&2
+    return 1
+  fi
+
+  tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/safedeps-npm-closure.XXXXXX") || return 1
+
+  printf '{"name":"safedeps-closure-probe","version":"0.0.0","private":true}\n' > "${tmp_dir}/package.json"
+  if ! (
+    cd "${tmp_dir}" &&
+      npm install "${package_name}@${version}" \
+        --package-lock-only \
+        --ignore-scripts \
+        --audit=false \
+        --fund=false \
+        --save-exact \
+        >/dev/null
+  ); then
+    printf 'safedeps npm closure: npm lockfile resolution failed for %s@%s\n' "${package_name}" "${version}" >&2
+    rm -rf "${tmp_dir}"
+    return 1
+  fi
+
+  lockfile="${tmp_dir}/package-lock.json"
+  safedeps_npm_lock_closure "${lockfile}" "${package_name}"
+  local status=$?
+  rm -rf "${tmp_dir}"
+  return "${status}"
+}